[
https://issues.apache.org/jira/browse/NUTCH-2786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Md Mahir Asef Kabir updated NUTCH-2786:
---------------------------------------
Description:
* *Vulnerability Description:* In
“src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java”
overridden TrustManager methods (i.e. checkClientTrusted and
checkServerTrusted) do not have validation logic for certificates.
* *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager
implements X509TrustManager and it overrides the standard TrustManager methods
(i.e. checkClientTrusted and checkServerTrusted) to do nothing but return a
hard-coded *true*. Certificate validation is expected to be handled by these
methods. Doing nothing means no verification.
* *Suggested Fix:* Add the necessary certificate verification logic in the
overridden methods. This is example code showing a format that can be used
and modified appropriately to implement the certificate validation logic -
https://paste.ubuntu.com/p/jWtH2yTNR8/ .
* *Feedback:* Please select any of the options down below to help us get an
idea about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful
was:
* *Vulnerability Description:* In
“src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java”
overridden TrustManager methods (i.e. checkClientTrusted and
checkServerTrusted) do not have validation logic for certificates.
* *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager
implements X509TrustManager and it overrides the standard TrustManager methods
(i.e. checkClientTrusted and checkServerTrusted) to do nothing but return a
hard-coded *true*. Certificate validation is expected to be handled by these
methods. Doing nothing means no verification.
* *Suggested Fix:* Add the necessary certificate verification logic in the
overridden methods.
* *Feedback:* Please select any of the options down below to help us get an
idea about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful
> TrustManager methods do not have certificate validation logic
> -------------------------------------------------------------
>
> Key: NUTCH-2786
> URL: https://issues.apache.org/jira/browse/NUTCH-2786
> Project: Nutch
> Issue Type: Improvement
> Components: plugin, protocol
> Affects Versions: 1.16
> Reporter: Md Mahir Asef Kabir
> Priority: Major
> Fix For: 1.18
>
>
> * *Vulnerability Description:* In
> “src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java”
> overridden TrustManager methods (i.e. checkClientTrusted and
> checkServerTrusted) do not have validation logic for certificates.
> * *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager
> implements X509TrustManager and it overrides the standard TrustManager
> methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but
> return a hard-coded *true*. Certificate validation is expected to be handled
> by these methods. Doing nothing means no verification.
> * *Suggested Fix:* Add the necessary certificate verification logic in the
> overridden methods. This is example code showing a format that can be used
> and modified appropriately to implement the certificate validation logic -
> https://paste.ubuntu.com/p/jWtH2yTNR8/ .
> * *Feedback:* Please select any of the options down below to help us get an
> idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn’t find the suggestion helpful
--
This message was sent by Atlassian Jira
(v8.3.4#803005)